So, because all the hashed passwords and emails were leaked, Mt. Gox is going to authenticate accounts through emails... by entering the old password and a new password...

Then it gives the option of adding additional information, like Dwolla, which would be most common, which you sign in to from your email, whose password recovery works through email. So if someone had access to the account because the Mt. Gox password is the same as the email's, which is common, they could find emails from Dwolla, do a password recovery to the email, and voilà, a malicious attack on personal Mt. Gox accounts.

Soooo fucking stupid.

Edit: I am wanting to see if my Mt. Gox has been emptied. Can't wait ::thumbs up:: Thanks, Mt. Gox!

duran, they've set up a second "proof" procedure: IP, bank account, or whatever you can provide.

This goes far beyond one account, a measly $1k, and a user database. This means anyone who used the same password for their email could have the passwords to other accounts recovered to the email without knowing the original. So get access to the email, find where they have accounts: PayPal, Bitmarket, banks, this forum, their mining sites, dating sites, Dwolla, Liberty Reserve, everything. They might have sent an encrypted zip of their wallet to themselves via their email. They might have had a very important conversation with someone. MoneyPak numbers in emails. Endless possibilities. Amazon accounts, eBay, GoDaddy, etc., etc., etc. This spiderwebs out.

Even lulzier is that Bitcoin is a community of people who mine by decoding hashes. Someone with a killer mining setup could rainbow table the shit out of any encryption. MD5 encryptions can be easily cracked by morons via sites like md5decrypter.co.uk, and the FreeBSD MD5 hashes by processes like this: http://hansatan.com/?d=jtrguide

So they're going to dictate the price at 17.50 when the exchange comes back. Who values this shit at $17 right now? Someone bought a fuckload for a penny each, and we're supposed to buy at $17.50. I mean, that's all fine and dandy for everyone getting out of bitcoins, but that's no good for the market in general.

Mt. Gox is a bunch of fuckups who lost lots of people a lot of money, set back a revolution, and won't take responsibility for handing out the database to an auditor for reasons unknown. I know what auditors do; no reason for him to have emails and logins. Fucking morons down at Mt. Gox have fucked up big time.

Could someone point me towards some information where we, the MtGox user base, have verified that the people claiming to be Mt. Gox are who they say they are? I do hope that, after a security incident like this, people aren't just handing over more of their financial and personal information just because they're asking for it.

It's a good thing you're long-winded because otherwise you would win my "most fails per word" award...

Let's take these one at a time...

> even lulzier is bitcoin is a community of people who mine by decoding hashes

No, we generate hashes until they fall below an arbitrary value; hashes cannot be "decoded", only recreated. This is similar to the way a brute-force hash-collision attack works, but not quite the same.

> someone with a killer mining set up could rainbow table the shit out of any encryption

Not every encryption scheme is susceptible to rainbow tables. As a matter of fact, no one really uses rainbow tables for encryption, because you'd have to have a sample for every possible plaintext encrypted with every possible key to do so, which would result in immeasurably large files. We use rainbow tables for hashing algorithms. Furthermore, aside from a handful of very old accounts, Mt. Gox did at least use salt with their MD5, which renders rainbow tables ineffective and requires time be spent to specifically brute-force one password at a time. If you had a password of sufficient complexity, you would still be safe from this attack for a pretty reasonable period of time (measured in years).

> So theyre going to dictate the price at 17.50 when the exchange comes back. who values this shit at $17 right now?

No one does, not even Mt. Gox. The price is rolling back to $17.51 because that's what the top (most recent) transaction in their database was at when the attack occurred. When the system comes back online, it will be free to move in whatever direction the market is currently valuing BTC at. People will cancel their buy/sell orders and place them at more reasonable points surrounding the current trade value.

> someone bought a fuckload for penny each. and were supposed to buy at $17.50

Yes, but it really only matters what someone was able to cash out after buying at $0.01. I don't have the post in front of me, but "Kevin" claims to have been able to cash out ~600 BTC, worth around $8,000 at current market values. Still quite a bit of cash, but not the "fuckload" you claim or the 263,000 that were actually purchased before the rollback.

> mtgox is a buncha fuckups who lost lots of people alot of money, set back a revolution and wont take responsibility for handing out the database to an auditor for reasons unknown. i know what auditors do, no reason for him to have emails and logins. fucking morons down at mtgox have fucked up big time.

Now I do at least agree with you a bit here. I might use more "grown-up" language to express my opinion of Mt. Gox, but I do feel that they've managed to hurt the bitcoin economy and community via their poor security. I also agree that unless the "auditor" was actually a security auditor, he/she had no business in the login database. It might be the case that Mt. Gox stores their login data within a table in the same database as their trades, which would be one more security failure on their part in my humble opinion.

> anyone who used the same password for their email could have the passwords to other accounts recovered to the email without knowing the original

Although you wrote this in the most convoluted way possible, I think I understand you to be saying "if people used the same passwords in multiple places, this could lead to the compromise of even more accounts", which would be true. Of course this is why we always say to never use the same password for multiple systems, not that anyone listens. This is one of the few places where the onus of security is placed squarely on the shoulders of the individual; Mt. Gox could have forced secure passwords upon their users, additional authentication factors, all kinds of things, but they can't force their users NOT to use their Gmail password at the exchange.

OK, check it: if salted hashes are so hard to break and such a non-issue, think. Hacker took database, took control of a major bitcoin holder's account. To do that, he needed the password. If I had 400k bitcoins, best believe they've been to the site in 2 months. So he cracked the password of his choosing. Yeah, cracking salts takes a while, but getting $xx,xxx is pretty motivating if you have an idea where to look.

For example. I know this is terrible of me to post, but I'm sure he's been hit.

[deleted by poster] has more posts on this forum than anyone. Safe to say he probably does some shit with bitcoins, right? Well, I looked up his name in the now-public DB.

[deleted by poster]

A Google search of his email brings up this. [deleted by poster]

I bet he used the same PW somewhere. Best believe I wasn't the first person to think of this. I picked the highest-profile person I could and there's his info. Not salted. I didn't post the cracked password, and hopefully he's changed everything. If not, he's screwed. Mt. Gox's fault.

So since you're not worried at all, I found your account. How many coins and MtGoxUSD you got in there? [deleted by poster]
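Added example, not part of any post in this thread: a worked illustration of the two points being argued above. enmaku's post says Mt. Gox salted its MD5 hashes, which defeats precomputed (rainbow) tables and forces one brute-force run per password; duran's reply says a motivated attacker can still crack one chosen account. The code below is my own reimplementation of PHK's md5-crypt (the "$1$" / "FreeBSD MD5" format referred to in the thread), followed by a lookup-table attack on unsalted MD5 and a per-account dictionary attack on the salted form. The wordlist, email addresses and salts are constructed for the demo and are not leaked data; the function names are my own.

```python
import hashlib
import hmac

# Crypt-style alphabet used by md5-crypt; this is not standard base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Reimplementation of PHK's md5-crypt ($1$), the 'FreeBSD MD5' format.

    Returns "$1$" + salt + "$" + 22 encoded characters. The salt is truncated
    to 8 characters, as the reference C code does.
    """
    pw = password.encode()
    salt = salt[:8]
    sp = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)                      # feed `alt` once per 16 password bytes
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)                           # one byte per bit of len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds: every guess costs about a thousand MD5 calls.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sp)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # Byte shuffle from the reference implementation, then crypt-base64.
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt + "$" + out


def verify(password, stored):
    """Constant-time check of `password` against a stored "$1$salt$hash" string."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("not an md5-crypt hash")
    return hmac.compare_digest(md5crypt(password, salt), stored)


def crack_unsalted(hex_hashes, wordlist):
    """Unsalted MD5: one table built from the wordlist cracks every hash at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hex_hashes if h in table}


def crack_salted(stored_hashes, wordlist):
    """md5-crypt: no shared table; each hash needs its own pass over the wordlist.

    Returns (found, guesses) so the per-account cost is visible.
    """
    found, guesses = {}, 0
    for stored in stored_hashes:
        salt = stored.split("$")[2]
        for w in wordlist:
            guesses += 1
            if md5crypt(w, salt) == stored:
                found[stored] = w
                break
    return found, guesses


# Constructed sample data for the demo; not real accounts and not Mt. Gox data.
WORDLIST = ["letmein", "bitcoin", "password1", "hunter2", "qwerty", "trustno1"]
SAMPLE_UNSALTED = {
    "alice@example.com": hashlib.md5(b"bitcoin").hexdigest(),
    "bob@example.com": hashlib.md5(b"hunter2").hexdigest(),
}
SAMPLE_SALTED = {
    "carol@example.com": md5crypt("bitcoin", "k3YbZ9pQ"),
    "dave@example.com": md5crypt("hunter2", "aB1cD2eF"),
    "erin@example.com": md5crypt("correct horse battery staple", "zZ9yY8xX"),
}


def demo():
    """Run both attacks on the sample rows; erin's passphrase is not in the list."""
    unsalted = crack_unsalted(list(SAMPLE_UNSALTED.values()), WORDLIST)
    salted, guesses = crack_salted(list(SAMPLE_SALTED.values()), WORDLIST)
    return {"unsalted_cracked": len(unsalted),
            "salted_cracked": len(salted),
            "salted_guesses": guesses}


if __name__ == "__main__":
    print(demo())
```

The unsalted table is built once and cracks both sample rows with a dictionary lookup; the salted rows cost one md5-crypt run per guess per account (twelve here), which is exactly why a leaked salted database favours a targeted attack on one high-value account over cracking everyone. A passphrase outside the wordlist (erin's) survives both attacks, which is enmaku's "sufficient complexity" point.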

He makes some good points; his delivery is just a little rough. MD5 is broken, and everyone's username and hash are out there. Having bitcoins makes us all targets, and we need to take security seriously. Unfortunately, I suspect this will lead to bitcoin banks who secure people's bitcoins for them.

As we slide down the banister of life, this is just another splinter in our ass.

To the people saying I'm a troll and I should be banned: I would love to hear the reasoning behind this.

I'm a guy with quite a bit invested in Mt. Gox. I am publicly pointing out security issues, at the fault of Mt. Gox, that could be used to find out the identities of users, their emails, take control of their finances, bank accounts, their forum account here, their Facebook, whatever someone found useful. Meanwhile Mt. Gox leaves out that the hacker had to have cracked the "impossible" salted password for the account that was hijacked and attempted to be emptied.

Check it out. Other than the coins and MtGoxUSD I had in my account, I am not worried; I've changed and secured every account I have, and I don't invest more than I'm willing to risk. So it sucks, but my life's not changing. Other people, though, may not have realized the severity of the database leak. This goes beyond just Mt. Gox. I'm looking out for others, not myself. So reconsider who needs banned: maybe Mt. Gox, who just profited off the community at the risk of all their users and totally compromised things Bitcoin stands for, like anonymity. Ban Mt. Gox. Not me.

Duran, I think you upset people because you basically just made threats along the lines of "You disagree with me? Well, oh gee, your family lives at 165 Lincoln Ave? It sure would be a pity if they all accidentally died."